[midPoint] AD password question

Aivo Kuhlberg aivo.kuhlberg at rmit.ee
Wed Aug 31 12:18:24 CEST 2016


Thanks, Michal, Roman,
I tried your solution, Michal, but it seems that it does not work. Correct me if I am wrong, but my understanding is that strength 'weak' works if there is no value present, but I believe the AD connector does not know anything about the existing AD password and therefore updates it every time the midPoint password is changed.
Roman, your solution is very interesting and I will try to implement it.

Best Regards,
Aivo Kuhlberg

________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Roman Pudil - AMI Praha a.s. <roman.pudil at ami.cz>
Sent: 31 August 2016 12:22
To: midPoint General Discussion
Subject: Re: [midPoint] AD password question

Hi Aivo,
I have this solution - try:

- Remove the "outbound" element from credentials
- Create an "after-add" action


The after-add action calls dsmod on the command line of the AD server:

    <scripts>
        <script>
            <host>resource</host>
            <language>Shell</language>
            <argument>
                <script>
                    <code>
                        // Build the DN of the new account from two user extension properties;
                        // an empty result makes the shell part below skip dsmod.
                        currDN = '';
                        currADDispName = basic.stringify(basic.getExtensionPropertyValues(user, 'http://ami.cz/xml/ns/userExtension', 'currentADDisplayName'));
                        currADOrgUnit = basic.stringify(basic.getExtensionPropertyValues(user, 'http://ami.cz/xml/ns/userExtension', 'currentADOrgUnit'));
                        // the AND operator is XML-escaped so the resource definition stays well-formed
                        if (currADDispName != '' &amp;&amp; currADOrgUnit != '') {
                            currDN = 'CN=' + currADDispName + ',' + currADOrgUnit + ',' + basic.getResourceIcfConfigurationPropertyValue(resource, 'Container');
                            log.info('AD: Create NEW user {}', currDN);
                        }
                        return currDN;
                    </code>
                </script>
                <name>userDN</name>
            </argument>
            <argument>
                <script>
                    <code>
                        // Initial password taken from the midPoint user and decrypted for the script argument.
                        // Note: this log line writes the cleartext password into the midPoint log.
                        log.info('Init Pwd of user {} = {}', user.getName(), basic.decrypt(basic.getPropertyValue(user, 'credentials/password/value')));
                        return basic.decrypt(basic.getPropertyValue(user, 'credentials/password/value'));
                    </code>
                </script>
                <name>initPwd</name>
            </argument>
            <code>
                REM argument values are referenced as %name%; run dsmod only when a DN was computed
                IF "%userDN%" NEQ "" dsmod user "%userDN%" -disabled yes -pwd "%initPwd%" -mustchpwd yes
                exit
            </code>
            <operation>add</operation>
            <order>after</order>
        </script>
    </scripts>


Regards
Roman Pudil


On Wed 31 Aug 2016 at 10:53, Aivo Kuhlberg <aivo.kuhlberg at rmit.ee> wrote:

Hi,
I am using midPoint 3.4 with the .NET AD connector, and here are my current schemaHandling password settings for the AD connector:

         <credentials>
            <password>
               <outbound/>
            </password>
         </credentials>

These settings mean that the AD user password changes every time it is changed in midPoint.
I do not want to manage AD users' passwords with midPoint at the moment, but I still want to set the AD user password when midPoint creates a new AD account. In all other sync situations the AD password should not be changed. How should I implement that?

Thanks,
Aivo Kuhlberg

________________________________
This e-mail may contain information which is classified for official use.
--

Roman Pudil
solution architect
gsm: [+420] 775 663 666
e-mail: roman.pudil at ami.cz

AMI Praha a.s.
Plánickova 11
162 00 Praha 6
tel./fax: [+420] 274 783 239
web: www.ami.cz


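The same after-add action written with PowerShell instead of a cmd line, as an added example that is not from Roman's post or from the midPoint project. It assumes the .NET connector accepts `PowerShell` as the script language and exposes the script arguments as PowerShell variables (`$userDN`, `$initPwd`); the benefit is that the initial password is never placed on a child process command line, where `dsmod -pwd` exposes it to process-creation auditing, and it is not written to the midPoint log.

```xml
<scripts>
    <script>
        <host>resource</host>
        <!-- assumption: the .NET connector supports this language value -->
        <language>PowerShell</language>
        <argument>
            <script>
                <code>
                    // Same DN computation as in the cmd variant; empty string means "skip".
                    currADDispName = basic.stringify(basic.getExtensionPropertyValues(user, 'http://ami.cz/xml/ns/userExtension', 'currentADDisplayName'));
                    currADOrgUnit = basic.stringify(basic.getExtensionPropertyValues(user, 'http://ami.cz/xml/ns/userExtension', 'currentADOrgUnit'));
                    if (currADDispName == '' || currADOrgUnit == '') return '';
                    return 'CN=' + currADDispName + ',' + currADOrgUnit + ',' + basic.getResourceIcfConfigurationPropertyValue(resource, 'Container');
                </code>
            </script>
            <name>userDN</name>
        </argument>
        <argument>
            <script>
                <code>
                    // Decrypted initial password, passed to the script only (not logged).
                    return basic.decrypt(basic.getPropertyValue(user, 'credentials/password/value'));
                </code>
            </script>
            <name>initPwd</name>
        </argument>
        <code>
            # assumption: $userDN and $initPwd are injected as PowerShell variables by the connector
            if ([string]::IsNullOrEmpty($userDN) -or [string]::IsNullOrEmpty($initPwd)) { return }
            Import-Module ActiveDirectory
            $secure = ConvertTo-SecureString -String $initPwd -AsPlainText -Force
            # -Reset sets the password without the old one; the value travels as a SecureString
            # inside this process, not as an argument of a separate dsmod process
            Set-ADAccountPassword -Identity $userDN -Reset -NewPassword $secure
            # mirror the dsmod flags: account disabled, password change required at next logon
            Set-ADUser -Identity $userDN -ChangePasswordAtLogon $true -Enabled $false
        </code>
        <operation>add</operation>
        <order>after</order>
    </script>
</scripts>
```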